This is part of an ongoing campaign to attempt to typosquat crates in the polymarket-client-sdk ecosystem to exfiltrate user credentials.

The malicious crate had 6 versions published from 2026-02-20 onwards and had no evidence of actual usage. There were no crates depending on this crate on crates.io.

Thanks to Eren for finding and reporting this to the Rust security response working group, and to Emily Albini for co-ordinating with the crates.io team.

The crates.io team advises anyone developing with Polymarket to review dependencies carefully. We are investigating ways to mitigate this attacker who appears to be very motivated to steal Polymarket credentials.